Skip to site navigation (Press enter)

[webkit-changes] [124739] trunk

commit-queue Mon, 06 Aug 2012 00:50:02 -0700

Title: [124739] trunk

Revision: 124739
Author: [email protected]
Date: 2012-08-06 00:50:14 -0700 (Mon, 06 Aug 2012)

Log Message

Crash in WebCore::RenderListItem::updateMarkerLocation
https://bugs.webkit.org/show_bug.cgi?id=90476


Patch by Douglas Stockwell <[email protected]> on 2012-08-06
Reviewed by Abhishek Arya.

Source/WebCore:

In some cases an anonymous block is destroyed when its last child is
removed. RenderListItem did not expect this and has it's own logic for
cleaning up such blocks when the list marker is removed. Detect this
case in RenderBlock::removeChild to defer to the logic in RenderListItem::updateListMarker.

Test: fast/lists/list-marker-remove-crash.html

* rendering/RenderBlock.cpp:
(WebCore::RenderBlock::removeChild):

LayoutTests:

* fast/lists/list-marker-remove-crash-expected.txt: Added.
* fast/lists/list-marker-remove-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/rendering/RenderBlock.cpp

Added Paths

trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt
trunk/LayoutTests/fast/lists/list-marker-remove-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (124738 => 124739)


--- trunk/LayoutTests/ChangeLog	2012-08-06 07:33:49 UTC (rev 124738)
+++ trunk/LayoutTests/ChangeLog	2012-08-06 07:50:14 UTC (rev 124739)
@@ -1,3 +1,13 @@
+2012-08-06  Douglas Stockwell  <[email protected]>
+
+        Crash in WebCore::RenderListItem::updateMarkerLocation
+        https://bugs.webkit.org/show_bug.cgi?id=90476
+
+        Reviewed by Abhishek Arya.
+
+        * fast/lists/list-marker-remove-crash-expected.txt: Added.
+        * fast/lists/list-marker-remove-crash.html: Added.
+
 2012-08-06  Kristóf Kosztyó  <[email protected]>
 
         [Qt] Unreviewed gardening. Skip the failing tests.

Added: trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt (0 => 124739)


--- trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/lists/list-marker-remove-crash-expected.txt	2012-08-06 07:50:14 UTC (rev 124739)
@@ -0,0 +1 @@
+PASS

Added: trunk/LayoutTests/fast/lists/list-marker-remove-crash.html (0 => 124739)


--- trunk/LayoutTests/fast/lists/list-marker-remove-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/lists/list-marker-remove-crash.html	2012-08-06 07:50:14 UTC (rev 124739)
@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<button></button>
+<script>
+document.designMode="on";
+var steps = [
+    "SelectAll",
+    "InsertUnorderedList",
+    "Italic",
+    "InsertOrderedList",
+    "InsertHorizontalRule",
+    "SelectAll",
+    "InsertUnorderedList",
+    "InsertHorizontalRule",
+    "InsertParagraph",
+    "InsertUnorderedList"
+];
+if (window.testRunner)
+    testRunner.dumpAsText();
+while (steps.length)
+    document.execCommand(steps.shift(), false);
+document.documentElement.innerHTML = 'PASS';
+</script>

Modified: trunk/Source/WebCore/ChangeLog (124738 => 124739)


--- trunk/Source/WebCore/ChangeLog	2012-08-06 07:33:49 UTC (rev 124738)
+++ trunk/Source/WebCore/ChangeLog	2012-08-06 07:50:14 UTC (rev 124739)
@@ -1,3 +1,20 @@
+2012-08-06  Douglas Stockwell  <[email protected]>
+
+        Crash in WebCore::RenderListItem::updateMarkerLocation
+        https://bugs.webkit.org/show_bug.cgi?id=90476
+
+        Reviewed by Abhishek Arya.
+
+        In some cases an anonymous block is destroyed when its last child is
+        removed. RenderListItem did not expect this and has it's own logic for
+        cleaning up such blocks when the list marker is removed. Detect this
+        case in RenderBlock::removeChild to defer to the logic in RenderListItem::updateListMarker.
+
+        Test: fast/lists/list-marker-remove-crash.html
+
+        * rendering/RenderBlock.cpp:
+        (WebCore::RenderBlock::removeChild):
+
 2012-08-06  Ilya Tikhonovsky  <[email protected]>
 
         Web Inspector: NMI: replace addString with addMember overload function.

Modified: trunk/Source/WebCore/rendering/RenderBlock.cpp (124738 => 124739)


--- trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-08-06 07:33:49 UTC (rev 124738)
+++ trunk/Source/WebCore/rendering/RenderBlock.cpp	2012-08-06 07:50:14 UTC (rev 124739)
@@ -1224,7 +1224,7 @@
 
         // If we are an empty anonymous block in the continuation chain,
         // we need to remove ourself and fix the continuation chain.
-        if (!beingDestroyed() && isAnonymousBlockContinuation()) {
+        if (!beingDestroyed() && isAnonymousBlockContinuation() && !oldChild->isListMarker()) {
             RenderObject* containingBlockIgnoringAnonymous = containingBlock();
             while (containingBlockIgnoringAnonymous && containingBlockIgnoringAnonymous->isAnonymousBlock())
                 containingBlockIgnoringAnonymous = containingBlockIgnoringAnonymous->containingBlock();

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes